W3C Strategic Highlights: Web for All (Security, Privacy, Identity)

(This post is part of a series recapping the October 2018 W3C Strategic Highlights and includes some updates since that report.)

This has been an exciting year for Web privacy and security activities at W3C:

• W3C held workshops to address the privacy, security, and usability challenges presented by powerful hardware sensors, device capabilities, and APIs (Permissions and User Consent Workshop, September 2018) and how strong identity and strong authentication should work on the Web (Strong Authentication & Identity Workshop, December 2018).
• The Web Authentication API - which helps eliminate phishable passwords - has been published as Recommendation.
• We published revised self-review guidance on security and privacy: the Self-Review Questionnaire: Security and Privacy has been updated by the Privacy Interest Group (PING), working with the TAG.
• The Privacy Interest Group (PING) is offering reviews for specifications earlier in their development cycle (e.g. during WIGC review).

Simpler and Stronger Authentication on the Web

W3C's Web Authentication API makes great progress toward eliminating phishable passwords. We are replacing passwords - which can be stolen - with site-specific credentials based on public key cryptography which can be stored in special hardware devices. The key innovation is in usability. Current two-factor authentication (2FA) systems are so inconvenient that they are typically only used for special occasions, e.g. when a user switches computers or browsers. By contrast, Web Authentication is usable enough to be used every time a user needs to log in. Web Authn can, if a site chooses, completely replace passwords - it can be used as single-factor authentication. The Web Authentication API was published as a REC early March. It is implemented in every major browser (WebKit/Safari has it in a "preview" release), in Windows 10 and Android.

Earlier privacy reviews

The Privacy Interest Group (PING) has begun looking at specs in incubation (e.g. coming through the WICG). PING recognized that feedback on privacy is often more helpful earlier in a specification's development lifetime, and it is making an effort to offer that feedback. If you have a spec that you would like PING to review, please contact the IG chairs.

Security reviews

Security reviews are being done by volunteer reviewers. To request review, write to the public-web-security@w3.org list. More reviewers would also be welcome. Contact Samuel Weiler if interested.